In my previous post I wrote about FeedDemon's security features, the most important of which is the fact that FeedDemon's newspapers operate in Internet Explorer's "Internet Zone" instead of the less secure local zone. This means that even if someone finds a way to trick FeedDemon into running script, it can't access the local zone (so it can't touch your hard drive, for example).
It's a good thing that FeedDemon has this feature, because while I was on vacation, Sam Ruby and James Snell talked about ways to get feed readers to run script - some of which FeedDemon is vulnerable to.
I want to stress that none of these vulnerabilities compromise your local machine, but as James Snell discusses in a subsequent blog post, the fact that script can be run inside FeedDemon is still a problem, and it's one I take very seriously. If nothing else, these vulnerabilities could be very annoying if exploited. For example, if someone hacked a popular feed so that it contained an exploit which forced a JavaScript popup to appear to all subscribers, there would be a lot of unhappy feed consumers out there.
I also want to add that every feed reader I tried is vulnerable to the same exploits, but I realize that's no excuse for my own code and it's small relief to FeedDemon users.
I've spent the past week fixing these flaws, and James Snell has kindly tested a private FeedDemon build and found that every vulnerability has been addressed. We plan to release this new build (v2.0.0.25) as soon as we've completed testing it (which may take a few days).
In the future I plan to write about how the specific vulnerabilities were resolved, but I don't want to do that until I'm sure that other feed readers have patched them. In the meantime, if you're the known author of a feed reader and would like details on the solutions, please feel free to contact me - I'd be happy to share the logic behind the fixes.
As a side note, I'd like to thank those who let us know about the problems before making them public. This was a responsible way to get the vulnerabilities fixed without putting customers at risk, and we appreciate it.
Reading this post, I again realize that the (little bit of) money I spent to buy FeedDemon, was very well spent. Thanks.
Posted by: Anne | Wednesday, August 23, 2006 at 04:08 PM
Thanks, Nick, for jumping on this. I'm with Anne on the worth of the investment.
Posted by: Sterling Camden | Wednesday, August 23, 2006 at 07:56 PM
Thanks a lot for commenting on this. We have decided to go with another approach and did not use the IE engine, but just an HTML viewer to show the RSS feeds in our reader. So no vulnerabilities from this side, because there is no engine to execute any script language.
I wonder if there is no way to stop script execution completely in the IE ActiveX.
Posted by: Siegfried | Thursday, August 24, 2006 at 07:08 AM
Anne, Sterling: thanks for the kind words!
Siegfried: there is a way to turn off scripting in the IE engine, but that also means that FeedDemon newspapers can't use JavaScript. Also, I should add that the exploits aren't specific to using the IE engine - web-based aggregators are vulnerable as well, even when viewed in Firefox.
Posted by: Nick Bradbury | Thursday, August 24, 2006 at 07:53 AM
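The trade-off in the reply above (switching off scripting also breaks the newspaper's own JavaScript) is usually resolved by sanitizing the untrusted feed content before the engine sees it, rather than disabling script in the engine. The following allowlist sanitizer is an added illustration of that approach; it is not FeedDemon's code or the fix the post refers to, and its tag/attribute allowlist and sample entries are assumptions constructed for the example.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed allowlist (an assumption, not FeedDemon's): markup a feed entry may keep.
ALLOWED_TAGS = {"p", "a", "b", "i", "em", "strong", "ul", "ol", "li", "br", "img", "blockquote", "pre", "code"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt", "title"}}
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed"}  # their text is dropped too
VOID_TAGS = {"br", "img"}

def safe_url(value):
    # Strip whitespace/control characters first: browsers ignore them, so a value like
    # "java\tscript:" would pass a naive prefix check. Only absolute http(s) URLs survive.
    cleaned = "".join(c for c in value if c.isprintable() and not c.isspace())
    return cleaned if urlsplit(cleaned).scheme.lower() in ("http", "https") else None

class FeedSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)  # entities are decoded before we see them
        self.out, self.skip = [], 0  # skip > 0 while inside a dropped element

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip += 1
            return
        if self.skip or tag not in ALLOWED_TAGS:
            return  # unknown element is removed but its text content is kept
        kept = []
        for name, value in attrs:  # HTMLParser lowercases names and unescapes values
            if name not in ALLOWED_ATTRS.get(tag, ()):
                continue  # drops every on* handler, style= and any unknown attribute
            if name in ("href", "src") and (value := safe_url(value or "")) is None:
                continue
            kept.append(f' {name}="{html.escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(html.escape(data, quote=False))  # re-escape text content

def sanitize(fragment):
    # Sanitize one feed entry's HTML body before handing it to the rendering engine.
    p = FeedSanitizer()
    p.feed(fragment)
    p.close()
    return "".join(p.out)
```

Because the feed content is cleaned before it reaches the engine, the reader's own newspaper template can keep using JavaScript, and the same filter applies whether the engine is IE's or a web-based aggregator's page.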
Glad to hear you're on top of it, Nick :D
Posted by: Andrew Herron | Thursday, August 24, 2006 at 09:55 AM
Nick. I would like to contact you about the details of your solution but have no idea where to find your email :).
Ben
Posted by: Ben | Saturday, August 26, 2006 at 04:38 AM
Ben, I have your email, so I'll drop you a note shortly.
Posted by: Nick Bradbury | Saturday, August 26, 2006 at 01:01 PM
Nick, as the developer of a 'hybrid' RSS reader, I'd be interested in your solution to these issues too. Thanks!
Posted by: Brian Schneeberg | Wednesday, August 30, 2006 at 07:41 PM
Brian, I'm traveling for a couple of days and don't have the details with me, but I'll email you the details when I return home.
Posted by: Nick Bradbury | Thursday, August 31, 2006 at 01:05 PM